A prematurely leaked earnings release is the scenario that keeps many IROs up at night, and some of the market’s biggest names have been surprised in recent months when material news they hadn’t yet disclosed showed up on the financial newswires.

In every case, the leaked press releases were posted to a public – but unpublished – section of the companies’ web sites, enabling savvy – and aggressive – news organizations to gain access to the news before its scheduled disclosure without hacking passwords, breaching any firewalls or breaking any laws. The press releases were all posted to an unpublished web page, the URL of which was easily guessed by reporters.

Commenting on an incident in late 2010 for a Wall St. Journal blog, Bloomberg News issued the following explanation: “We found the release posted on the company’s website without any required password or firewall. The company failed to respond to multiple calls from us to verify the information on their website before we published our story.”

“An unpublished URL doesn’t create a secure environment,” said Chris Antoline, Product Manager of Web Engagement at PR Newswire. “Posting a press release to a web page that is otherwise public is risky. People – and news spiders designed to hunt for content – don’t need URLs to find information.”

Don’t rely solely upon the judgment of your company’s IT staff or a vendor – they may be unaware of how competitive the financial news reporting environment is, and of the risks that poses to the company.

Securing this content is not difficult, but many times your web team or vendor simply doesn’t understand the directives of the IR department or the importance of timing around announcements. A simple meeting or discussion to convey the concept of SEC guidelines around disclosure can guarantee that the web team is thinking in your best interests.

What’s NOT secure:

Unpublished URLs

Draft or preview web pages that are not behind the firewall

Any URLs that might be dynamically-generated using some sort of numerical sequencing for database items, such as news releases. www.xyzcompany/about/news/1871 is NOT secure since a spider (or human) can easily add or remove a number to the URL, and pull up unpublished documents.

Any CMS whose password has not been changed from “admin” or “login” or “password”

How to determine whether or not your practices are secure

Questions to ask your IT department or your vendor:

What are the security measures in place for protecting non-public content in our Content Management System (CMS)?

Is ‘dark’ content in our CMS able to be accessed publicly via a direct URL?

Does our CMS use sequential numbering for the database?

Can we password protect pages and content to prevent outsiders from accessing certain information which we only want a select group of people to access?

Another way to test the security of undisclosed documents is to try to access them yourself, from a home computer or smart phone that’s not attached to your company network. If you can pull up the test document via an unpublished URL, that’s a red flag. Others can do the same.

Be sure the proper security measures are adhered to by your CMS before publishing content that is not yet ready for the public to view.

Leveraging unpublished URLs can be an effective way to present content for the user experience you’re trying to accomplish on your website, but make sure all private, unpublished content is protected by a password.

Have your web team program the system to use non-sequential URL generators.

Better yet, use a URL Editor, where not only do you make the system more secure but you help your SEO efforts as well.
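One way a web team could implement the password-protection and non-sequential URL recommendations above, shown as an added example that is not from the original post or from any particular CMS. The names `Release`, `weak_lookup`, `hardened_lookup` and `audit`, and the sample releases and dates, are assumptions made for illustration. It contrasts serving a page by its sequential number with serving it by a random token plus a server-side check of the disclosure time, so that the random URL is never the only protection.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Release:
    seq_id: int            # sequential database key
    title: str
    publish_at: datetime   # scheduled disclosure time, UTC
    # Random, non-sequential URL token (about 128 bits of randomness)
    slug: str = field(default_factory=lambda: secrets.token_urlsafe(16))

def weak_lookup(db, seq_id):
    """Risky pattern from the article: /news/<number> serves any row."""
    r = db.get(seq_id)
    return (200, r.title) if r else (404, None)

def hardened_lookup(db, slug, now, authenticated=False):
    """Serve a release only after its disclosure time, or to a logged-in user."""
    r = next((x for x in db.values() if x.slug == slug), None)
    if r is None or (now < r.publish_at and not authenticated):
        return (404, None)  # identical answer for "missing" and "embargoed"
    return (200, r.title)

def audit(db, now, lookup):
    """Self-test: which not-yet-public releases does `lookup` hand out?"""
    leaked = []
    for r in db.values():
        status, _ = lookup(r)
        if status == 200 and now < r.publish_at:
            leaked.append(r.seq_id)
    return leaked

# Constructed sample data: one published release and one embargoed release.
NOW = datetime(2011, 1, 10, 12, 0, tzinfo=timezone.utc)
DB = {r.seq_id: r for r in (
    Release(1870, "Q3 results", datetime(2010, 10, 20, 12, 0, tzinfo=timezone.utc)),
    Release(1871, "Q4 results (embargoed)", datetime(2011, 1, 25, 12, 0, tzinfo=timezone.utc)),
)}

if __name__ == "__main__":
    print("weak:", audit(DB, NOW, lambda r: weak_lookup(DB, r.seq_id)))
    print("hardened:", audit(DB, NOW, lambda r: hardened_lookup(DB, r.slug, NOW)))
```

Running the same `audit` against a staging copy of the real content store before each earnings date gives the IR team a repeatable version of the "try it from a home computer" test.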

Remember, as a publicly traded company it is ultimately your organization’s responsibility to ensure that yet-to-be-disclosed content is kept secure. Asking a few simple yet critical questions of your internal IT team or website vendor can go a long way in saving your company time, money and even market share repairing damage that could have been prevented.

It’s frightening to think that what’s supposed to be shared only within the office for the meantime is easily hacked or leaked by the public even before it is released. But the burden should be with the office’s IT department as it is their job to make sure that none is shared before the higher department says so. Security should always come first.
